Vietnam's APT32 Marks a New Chapter in Cyber-espionage

An advanced threat group that conducts targeted intrusions at large multinational businesses with interests in Vietnam has been brought to light, code-named APT32.

According to FireEye, the group has carried out compromises in firms across multiple industries and targeted foreign governments, dissidents and journalists—and its activity aligns with Vietnamese state interests. Its targets are headquartered in Germany, China, the Philippines, the US, the UK and Vietnam. Several of them are household names.

China is known for economic espionage, Russia for political espionage and financial crime, and their two satellite allies North Korea and Iran are known for destructive attacks. APT32 is changing the game as the first advanced persistent threat group outside of this axis.

FireEye said that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools—and that it has been targeting foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products and hospitality sectors since at least 2014. For instance, in an attack in mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations, as well as consulting firms that may have connections with foreign investors.

“The targeting of private sector interests by APT32 is notable, and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, [Vietnam],” FireEye said in its report on the group. “While the motivation for each APT32 private sector compromise varied—and in some cases was unknown—the unauthorized access could serve as a platform for law enforcement, intellectual property theft or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations.”

Political targets fall within the group's purview as well: APT32 threatens political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists and members of the Vietnamese diaspora have all been targets.

For instance, in 2014, APT32 leveraged a spear-phishing attachment titled “Plans to crackdown on protesters at the Embassy of Vietnam.exe,” which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country’s national legislature.

APT32 actors generally rely on social engineering and spear phishing to deliver malicious email attachments. From there, backdoors are installed to carry out espionage and exfiltration, while stealthy techniques are used to blend in with legitimate user activity. The group is also able to inject and execute arbitrary code in running processes, a capability that could be used for more damaging operations later.
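The lure described above, a document-style title carrying an `.exe` extension, is the kind of attachment a mail gateway can screen for before a user ever sees it. The following is an added example written for this article, not FireEye's code or anything attributed to APT32: it classifies inbound attachment names as block, inspect or allow based on executable extensions, document-like titles on executables, double extensions, bidirectional-override characters and archives that need content scanning. The extension lists and the sample filenames are this example's own assumptions, and the batch includes the attachment name quoted in the article alongside constructed benign and suspicious names.

```python
"""Screen inbound e-mail attachment names for spear-phishing lure patterns.

Added example for this article; not FireEye's or any threat group's tooling.
The extension policy lists below are assumptions and should be tuned per site.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy lists (example values, not from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".tgz"}
# Unicode bidi controls that can visually reverse the displayed extension.
BIDI_OVERRIDES = {"\u202d", "\u202e"}


@dataclass
class Verdict:
    filename: str
    action: str                      # "block", "inspect" or "allow"
    reasons: List[str] = field(default_factory=list)


def split_exts(name: str):
    """Return (stem, extensions) in lower case: 'Report.pdf.exe' -> ('report', ['.pdf', '.exe'])."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return parts[0], []
    return parts[0], ["." + p for p in parts[1:]]


def screen_attachment(name: str) -> Verdict:
    """Classify one attachment filename; reasons explain every block/inspect decision."""
    name = name.strip()
    reasons: List[str] = []
    stem, exts = split_exts(name)
    final = exts[-1] if exts else ""

    if any(ch in name for ch in BIDI_OVERRIDES):
        reasons.append("bidi override character in filename")

    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        # Three or more words in the stem reads like a document title, not a program name.
        if len(re.findall(r"[a-z]{2,}", stem)) >= 3 and " " in stem:
            reasons.append("document-like title on an executable")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("double extension hiding an executable")
    elif final in ARCHIVE_EXTS:
        reasons.append(f"archive {final}: contents must be scanned before delivery")

    if final in EXECUTABLE_EXTS or "bidi override character in filename" in reasons:
        action = "block"
    elif final in ARCHIVE_EXTS:
        action = "inspect"
    else:
        action = "allow"
    return Verdict(name, action, reasons)


def screen_batch(names: List[str]) -> Dict[str, str]:
    """Map each filename to its action; convenient for a gateway policy hook."""
    return {n: screen_attachment(n).action for n in names}


# Constructed sample batch: the lure name quoted in the article plus made-up names.
SAMPLE_ATTACHMENTS = [
    "Plans to crackdown on protesters at the Embassy of Vietnam.exe",
    "Q3 investment summary.pdf",
    "invoice.pdf.exe",
    "site photos.zip",
    "notes\u202e.txt",
    "setup.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = screen_attachment(n)
        print(f"{v.action:8} {n!r}  {'; '.join(v.reasons)}")
```

The title-plus-executable heuristic is deliberately narrow so that ordinary installers (`setup.exe`) are still blocked by the extension rule but not mislabelled as lures; archives are routed to content scanning rather than allowed or blocked on the name alone.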

While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats, APT32 demonstrates how newly-available tools and techniques give even less-resourced nation-states access to advanced capabilities.

“As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets,” the firm concluded.